Meet-in-the-Middle Attack on Reduced Versions of the Camellia Block Cipher⋆

Jiqiang Lu¹,⋆⋆, Yongzhuang Wei²,³, Enes Pasalic⁴, and Pierre-Alain Fouque⁵

¹ Institute for Infocomm Research, Agency for Science, Technology and Research, 1 Fusionopolis Way, Singapore 138632
² Guilin University of Electronic Technology, Guilin City, Guangxi Province 541004, China
³ State Key Lab of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
⁴ University of Primorska FAMNIT, Koper, Slovenia
⁵ Département d'Informatique, École Normale Supérieure, 45 Rue d'Ulm, Paris 75005, France

Abstract. The Camellia block cipher has a 128-bit block length and a user key of 128, 192 or 256 bits; it employs a total of 18 rounds for a 128-bit key and 24 rounds for a 192 or 256-bit key. It is a Japanese CRYPTREC-recommended e-government cipher, a European NESSIE selected cipher, and an ISO international standard. In this paper, we describe a few 5 and 6-round properties of Camellia and use them to give (higher-order) meet-in-the-middle attacks on 10-round Camellia with the FL/FL$^{-1}$ functions under 128 key bits, 11-round Camellia with the FL/FL$^{-1}$ and whitening functions under 192 key bits, and 12-round Camellia with the FL/FL$^{-1}$ and whitening functions under 256 key bits.

Key words: Block cipher, Camellia, Meet-in-the-middle attack.

⋆ This paper was published in Advances in Information and Computer Security – IWSEC '12: The 7th International Workshop on Security, November 7–9, Fukuoka, Japan, Goichiro Hanaoka, Toshihiro Yamauchi (eds), Volume 7631 of Lecture Notes in Computer Science, pp. 197–215, Springer-Verlag, 2012. The work was supported by the French ANR project SAPHIR II (No. ANR-08-VERS-014), the Natural Science Foundation of China (No. 61100185), Guangxi Natural Science Foundation (No. 2011GXNSFB018071), and the Foundation of Guangxi Key Lab of Wireless Wideband Communication and Signal Processing (No. 11101).

⋆⋆ The author was with École Normale Supérieure (France) when an earlier version of this work, comprising the MitM results without whitening functions, was completed.


1 Introduction

Camellia [1] is a 128-bit block cipher with a user key length of 128, 192 or 256 bits, which employs a total of 18 rounds if a 128-bit key is used and a total of 24 rounds if a 192/256-bit key is used. It has a Feistel structure with key-dependent logical functions FL/FL$^{-1}$ inserted after every six rounds, plus four additional whitening operations at both ends. Camellia became a CRYPTREC e-government recommended cipher [8] in 2002, a NESSIE selected block cipher [25] in 2003, and was adopted as an ISO international standard [16] in 2005. In this work, we consider the version of Camellia that has the FL/FL$^{-1}$ functions, and for simplicity, we denote by Camellia-128/192/256 the three versions of Camellia that use 128, 192 and 256 key bits, respectively.

The security of Camellia has been analysed against a variety of cryptanalytic techniques, including differential cryptanalysis [5], truncated differential cryptanalysis [17], higher-order differential cryptanalysis [17, 20], linear cryptanalysis [24], integral cryptanalysis [9, 15, 19], boomerang attack [27], rectangle attack [4], collision attack [26] and impossible differential cryptanalysis [3, 18]. Many cryptanalytic results on Camellia have been published, of which impossible differential cryptanalysis is the most efficient technique (in terms of the number of attacked rounds): it broke 11-round Camellia-128, 12-round Camellia-192 and 14-round Camellia-256 [2, 21], presented most recently at FSE 2012 and ISPEC 2012.¹

The meet-in-the-middle (MitM) attack was introduced in 1977 by Diffie and Hellman [11]. It usually treats a block cipher $E : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$ as a cascade of two sub-ciphers $E = E_a \circ E_b$. Given a guess for the subkeys used in $E_a$ and $E_b$, if a plaintext produces just after $E_a$ the same value as the corresponding ciphertext produces just before $E_b$, then this guess for the subkeys is likely to be correct; otherwise, this guess must be incorrect. Thus, we can find the correct subkey, given a sufficient number of matching plaintext-ciphertext pairs in a known-plaintext attack scenario. In a chosen-plaintext attack scenario, things may get better, and as in [10], by choosing a set of plaintexts with a particular property we may be able to express the concerned value-in-the-middle as a function of plaintext and a smaller number of unknown constants than the number of unknown constants (of the same length) from the subkey involved.

In 2011 Lu et al. [23] proposed an extension of the MitM attack, known as the higher-order MitM (HO-MitM) attack, which is based on using multiple plaintexts to cancel some key-dependent component(s) or parameter(s) when constructing a basic unit of "value-in-the-middle". The HO-MitM attack technique can lead to some better cryptanalytic results than the MitM attack technique in certain circumstances. In particular, Lu et al. found some 5 and 6-round HO-MitM properties of Camellia that were used to break 10-round Camellia-128,

¹ When the earlier version of our work was completed, the best previously published results on Camellia with FL/FL$^{-1}$ functions were square attack on 9-round Camellia-128 [12], impossible differential attack on 10-round Camellia-192 [7], and higher-order differential and impossible differential attacks on 11-round Camellia-256 [7, 13].

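Table 1. Main cryptanalytic results on Camellia with FL/FL$^{-1}$ functions

Cipher       | Attack Type               | Rounds | Data           | Memory            | Time             | Source
Camellia-128 | Square                    | 9      | $2^{48}$ CP    | $2^{53}$ Bytes    | $2^{122}$ Enc.   | [12]
Camellia-128 | Impossible differential   | 10     | $2^{118}$ CP   | $2^{93}$ Bytes    | $2^{118}$ Enc.   | [22]
Camellia-128 | Impossible differential   | 11     | $2^{120.5}$ CP | $2^{115.5}$ Bytes | $2^{123.8}$ Enc. | [2]§
Camellia-128 | Impossible differential   | 11†    | $2^{122}$ CP   | $2^{102}$ Bytes   | $2^{122}$ Enc.   | [21]§
Camellia-128 | HO-MitM (256 inputs)      | 10     | $2^{93}$ CP    | $2^{109}$ Bytes   | $2^{118.6}$ Enc. | [23]
Camellia-128 | HO-MitM (2 inputs)        | 10     | $2^{56}$ CP    | $2^{90}$ Bytes    | $2^{121.5}$ Enc. | Sect. 4.2
Camellia-128 | MitM                      | 10     | $2^{56}$ CP    | $2^{105}$ Bytes   | $2^{121.5}$ Enc. | Sect. 3.2
Camellia-192 | Impossible differential   | 10     | $2^{121}$ CP   | $2^{155.2}$ Bytes | $2^{144}$ Enc.   | [7]
Camellia-192 | Impossible differential   | 10†    | $2^{121}$ CP   | $2^{155.2}$ Bytes | $2^{175.3}$ Enc. | [7]
Camellia-192 | Impossible differential   | 11     | $2^{118}$ CP   | $2^{141}$ Bytes   | $2^{163.1}$ Enc. | [22]
Camellia-192 | Impossible differential   | 12     | $2^{120.6}$ CP | $2^{171.6}$ Bytes | $2^{171.4}$ Enc. | [2]§
Camellia-192 | Impossible differential   | 12†    | $2^{123}$ CP   | $2^{160}$ Bytes   | $2^{187.2}$ Enc. | [21]§
Camellia-192 | HO-MitM (256 inputs)      | 11     | $2^{94}$ CP    | $2^{174}$ Bytes   | $2^{180.2}$ Enc. | [23]
Camellia-192 | HO-MitM (2 inputs)        | 11†    | $2^{56}$ CP    | $2^{165}$ Bytes   | $2^{173.4}$ Enc. | Sect. 4.3
Camellia-192 | MitM                      | 11     | $2^{80}$ CP    | $2^{105}$ Bytes   | $2^{189.4}$ Enc. | Sect. 3.3
Camellia-192 | MitM                      | 11†    | $2^{56}$ CP    | $2^{185}$ Bytes   | $2^{185.2}$ Enc. | Sect. 3.4
Camellia-256 | Higher-order differential | 11‡    | $2^{93}$ CP    | $2^{98}$ Bytes    | $2^{255.6}$ Enc. | [13, 22]
Camellia-256 | Impossible differential   | 11†    | $2^{121}$ CP   | $2^{166}$ Bytes   | $2^{206.8}$ Enc. | [7]
Camellia-256 | Impossible differential   | 13†    | $2^{123}$ CP   | $2^{208}$ Bytes   | $2^{251.1}$ Enc. | [21]§
Camellia-256 | Impossible differential   | 14     | $2^{121.2}$ CP | $2^{180.2}$ Bytes | $2^{238.3}$ Enc. | [2]§
Camellia-256 | Impossible differential   | 14     | $2^{120}$ CC   | $2^{125}$ Bytes   | $2^{250.5}$ Enc. | [21]§
Camellia-256 | HO-MitM (256 inputs)      | 12     | $2^{94}$ CP    | $2^{174}$ Bytes   | $2^{237.3}$ Enc. | [23]
Camellia-256 | HO-MitM (2 inputs)        | 12†    | $2^{19}$ CP    | $2^{221}$ Bytes   | $2^{223.2}$ Enc. | [6]§, Sect. 4
Camellia-256 | HO-MitM (2 inputs)        | 12†    | $2^{56}$ CP    | $2^{165}$ Bytes   | $2^{237.9}$ Enc. | Sect. 4.4
Camellia-256 | MitM                      | 12     | $2^{56}$ CP    | $2^{185}$ Bytes   | $2^{219.9}$ Enc. | Sect. 3.5
Camellia-256 | MitM                      | 12†    | $2^{56}$ CP    | $2^{185}$ Bytes   | $2^{239.9}$ Enc. | Sect. 3.6

§: Newly emerging results; †: Include whitening operations; ‡: Can include whitening operations by making use of an equivalent structure of Camellia.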

11-round Camellia-192 and 12-round Camellia-256, but the corresponding 5 and 6-round MitM properties can enable us to break only 12-round Camellia-256.

In this paper, we analyse the security of Camellia (with the FL/FL$^{-1}$ functions) against the MitM attack in detail, following the work in [23]. In all those 5 and 6-round (higher-order) MitM properties of Camellia owing to Lu et al. [23], the basic unit of value-in-the-middle is one byte long. Nevertheless, we observe that if we consider only a smaller number of bits of the concerned byte, instead of the whole 8 bits, a few 5 and 6-round MitM properties with a smaller number of unknown 1-bit constant parameters can be obtained. This is owing to the fact that an output bit of the FL$^{-1}$ function only relies on a small fraction of the bits of the subkey used in the FL$^{-1}$ function (as well as a few input bits to FL$^{-1}$), thus reducing the number of unknown 1-bit constant parameters when we consider a fraction of the bits of the concerned byte. As a consequence, the 5 and 6-round MitM properties can be used to conduct MitM attacks on 10-round Camellia-128 with only FL/FL$^{-1}$ functions, 11-round Camellia-192 with FL/FL$^{-1}$ and whitening functions and 12-round Camellia-256 with FL/FL$^{-1}$ and whitening functions. Finally, we briefly describe 5 and 6-round HO-MitM properties obtained from the 5 and 6-round MitM properties by taking XOR under two plaintexts to cancel several 1-bit constant parameters, which can be used to conduct HO-MitM attacks on the same numbers of rounds as the MitM attacks.

Table 1 summarises previous, our and the newly emerging main cryptanalytic results on Camellia, where CP and CC refer respectively to the numbers of chosen plaintexts and chosen ciphertexts, and Enc. refers to the required number of encryption operations of the relevant reduced version of Camellia.

The remainder of the paper is organised as follows. In the next section, we describe the notation and the Camellia block cipher. We present our MitM results on Camellia in Section 3, and give our HO-MitM results on Camellia in Section 4. Concluding remarks are given in Section 5.

2 Preliminaries

In this section we give the notation used throughout this paper, and then briefly describe the Camellia block cipher.

2.1 Notation

The bits of a value are numbered from left to right, starting with 1. We use the following notation throughout this paper.

⊕    bitwise logical exclusive OR (XOR) of two bit strings of the same length
∩    bitwise logical AND of two bit strings of the same length
∪    bitwise logical OR of two bit strings of the same length
≪    left rotation of a bit string
||   bit string concatenation
◦    functional composition. When composing functions X and Y, X ◦ Y denotes the function obtained by first applying X and then Y
$\overline{X}$    bitwise logical complement of a bit string X
$X[i_1, \cdots, i_j]$    the j-bit string of bits $(i_1, \cdots, i_j)$ of a bit string X

2.2 The Camellia Block Cipher

Camellia [1] has a Feistel structure, a 128-bit block length, and a user key length of 128, 192 or 256 bits. It uses the following five functions:

– $S : \{0,1\}^{64} \to \{0,1\}^{64}$ is a non-linear substitution constructed by applying eight 8 × 8-bit S-boxes $S_1, S_2, S_3, S_4, S_5, S_6, S_7$ and $S_8$ in parallel to the input.

– $P : GF(2^8)^8 \to GF(2^8)^8$ is a linear permutation which is equivalent to pre-multiplication by an 8 × 8 byte matrix P; the matrix P and its inverse $P^{-1}$ are as follows.

$$
P = \begin{pmatrix}
1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 \\
1 & 1 & 0 & 1 & 1 & 0 & 1 & 1 \\
1 & 1 & 1 & 0 & 1 & 1 & 0 & 1 \\
0 & 1 & 1 & 1 & 1 & 1 & 1 & 0 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
0 & 1 & 1 & 0 & 1 & 0 & 1 & 1 \\
0 & 0 & 1 & 1 & 1 & 1 & 0 & 1 \\
1 & 0 & 0 & 1 & 1 & 1 & 1 & 0
\end{pmatrix},
\qquad
P^{-1} = \begin{pmatrix}
0 & 1 & 1 & 1 & 0 & 1 & 1 & 1 \\
1 & 0 & 1 & 1 & 1 & 0 & 1 & 1 \\
1 & 1 & 0 & 1 & 1 & 1 & 0 & 1 \\
1 & 1 & 1 & 0 & 1 & 1 & 1 & 0 \\
1 & 1 & 0 & 0 & 1 & 0 & 1 & 1 \\
0 & 1 & 1 & 0 & 1 & 1 & 0 & 1 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
1 & 0 & 0 & 1 & 0 & 1 & 1 & 1
\end{pmatrix}.
$$

– $F : \{0,1\}^{64} \times \{0,1\}^{64} \to \{0,1\}^{64}$ is a Feistel function. If X and Y are 64-bit blocks, $F(X, Y) = P(S(X \oplus Y))$.

– FL/FL$^{-1}$ : $\{0,1\}^{64} \times \{0,1\}^{64} \to \{0,1\}^{64}$ are key-dependent linear functions. If $X = (X_L || X_R)$ and $Y = (Y_L || Y_R)$ are 64-bit blocks, then

$$FL(X, Y) = ((((X_L \cap Y_L) \lll 1 \oplus X_R) \cup Y_R) \oplus X_L) \,||\, ((X_L \cap Y_L) \lll 1 \oplus X_R),$$

and

$$FL^{-1}(X, Y) = (X_L \oplus (X_R \cup Y_R)) \,||\, (((X_L \oplus (X_R \cup Y_R)) \cap Y_L) \lll 1 \oplus X_R).$$

Camellia uses a total of four 64-bit whitening subkeys $KW_j$, $2\lfloor \frac{N_r - 6}{6} \rfloor$ 64-bit subkeys $KI_l$ for the FL and FL$^{-1}$ functions, and $N_r$ 64-bit round subkeys $K_i$ ($1 \le j \le 4$, $1 \le l \le 2\lfloor \frac{N_r - 6}{6} \rfloor$, $1 \le i \le N_r$), all derived from an $N_k$-bit key K, where $N_r$ is 18 for Camellia-128, and 24 for Camellia-192/256, $N_k$ is 128 for Camellia-128, 192 for Camellia-192, and 256 for Camellia-256.

The key schedule is as follows. First, generate two 128-bit strings $K_L$ and $K_R$ from K in the following way: For Camellia-128, $K_L$ is the 128-bit key K, and $K_R$ is zero; for Camellia-192, $K_L$ is the left 128 bits of K, and $K_R$ is the concatenation of the right 64 bits of K and the complement of the right 64 bits of K; and for Camellia-256, $K_L$ is the left 128 bits of K, and $K_R$ is the right 128 bits of K. Second, depending on the key size, generate one or two 128-bit strings $K_A$ and $K_B$ from $(K_L, K_R)$ by a non-linear transformation (see [1] for details). Finally, the subkeys are as follows.²

– For Camellia-128: $K_2 = (K_A \lll 0)[65 \sim 128]$, $K_3 = (K_L \lll 15)[1 \sim 64]$, $K_9 = (K_A \lll 45)[1 \sim 64]$, $K_{10} = (K_L \lll 60)[65 \sim 128]$, $K_{11} = (K_A \lll 60)[1 \sim 64]$, $\cdots$.

– For Camellia-192/256: $K_7 = (K_B \lll 30)[1 \sim 64]$, $K_8 = (K_B \lll 30)[65 \sim 128]$, $K_{13} = (K_R \lll 60)[1 \sim 64]$, $K_{14} = (K_R \lll 60)[65 \sim 128]$, $K_{15} = (K_B \lll 60)[1 \sim 64]$, $K_{16} = (K_B \lll 60)[65 \sim 128]$, $K_{17} = (K_L \lll 77)[1 \sim 64]$, $K_{18} = (K_L \lll 77)[65 \sim 128]$, $K_{21} = (K_A \lll 94)[1 \sim 64]$, $K_{22} = (K_A \lll 94)[65 \sim 128]$, $K_{23} = (K_L \lll 111)[1 \sim 64]$, $\cdots$.

Below is the encryption procedure Camellia, where P is a 128-bit plaintext, represented as 16 bytes, and $L_0, R_0, L_i, R_i, \hat{L}_i$ and $\hat{R}_i$ are 64-bit variables.

1. $L_0 || R_0 = P \oplus (KW_1 || KW_2)$
2. For i = 1 to $N_r$:
   if i = 6 or 12 (or 18 for Camellia-192/256),
      $\hat{L}_i = F(L_{i-1}, K_i) \oplus R_{i-1}$, $\hat{R}_i = L_{i-1}$;
      $L_i = FL(\hat{L}_i, KI_{\frac{i}{3}-1})$, $R_i = FL^{-1}(\hat{R}_i, KI_{\frac{i}{3}})$;
   else
      $L_i = F(L_{i-1}, K_i) \oplus R_{i-1}$, $R_i = L_{i-1}$;
3. Ciphertext $C = (R_{N_r} \oplus KW_3) || (L_{N_r} \oplus KW_4)$.

We refer to the ith iteration of Step 2 in the above description as Round i, and write $K_{i,j}$ for the j-th byte of $K_i$ ($1 \le j \le 8$).

² Here we give only the subkeys concerned in this paper; $(K_A \lll 0)[65 \sim 128]$ represents bits $(65, 66, \cdots, 128)$ of $(K_A \lll 0)$, and so on.
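The Introduction's observation that an output bit of FL$^{-1}$ relies on only a few subkey bits can be checked directly from the definitions above. The following Python sketch is an added example, not code from the paper: it implements FL and FL$^{-1}$ as defined in this section and measures, by flipping each subkey bit over randomly constructed inputs, which subkey bits each output bit depends on (bits numbered from the left starting at 1, as in Section 2.1). All function names are chosen here for illustration.

```python
import random

MASK32 = 0xFFFFFFFF

def rotl32(v):
    """Rotate a 32-bit word left by one bit (the '<<< 1' in the FL definitions)."""
    return ((v << 1) | (v >> 31)) & MASK32

def fl(x, y):
    """FL(X, Y) on 64-bit integers; Y is the 64-bit subkey."""
    xl, xr = x >> 32, x & MASK32
    yl, yr = y >> 32, y & MASK32
    right = rotl32(xl & yl) ^ xr          # (X_L AND Y_L) <<< 1 xor X_R
    left = (right | yr) ^ xl              # (right OR Y_R) xor X_L
    return (left << 32) | right

def fl_inv(x, y):
    """FL^{-1}(X, Y) on 64-bit integers; Y is the 64-bit subkey."""
    xl, xr = x >> 32, x & MASK32
    yl, yr = y >> 32, y & MASK32
    left = xl ^ (xr | yr)                 # X_L xor (X_R OR Y_R)
    right = rotl32(left & yl) ^ xr        # (left AND Y_L) <<< 1 xor X_R
    return (left << 32) | right

def bit_mask(i):
    """Mask selecting bit i of a 64-bit value, bit 1 being the leftmost."""
    return 1 << (64 - i)

def round_trips(trials=1000, seed=1):
    """Check on constructed random inputs that FL and FL^{-1} invert each other."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = rng.getrandbits(64), rng.getrandbits(64)
        if fl_inv(fl(x, y), y) != x or fl(fl_inv(x, y), y) != x:
            return False
    return True

def key_bit_dependencies(func=fl_inv, trials=256, seed=2012):
    """Map each output bit j (1..64) to the set of subkey bits i whose flip
    changed bit j for at least one constructed random (input, subkey) pair."""
    rng = random.Random(seed)
    deps = {j: set() for j in range(1, 65)}
    for _ in range(trials):
        x, y = rng.getrandbits(64), rng.getrandbits(64)
        base = func(x, y)
        for i in range(1, 65):
            diff = base ^ func(x, y ^ bit_mask(i))
            for j in range(1, 65):
                if diff & bit_mask(j):
                    deps[j].add(i)
    return deps

def key_bits_for_range(deps, first, last):
    """Subkey bits needed to compute output bits first..last (inclusive)."""
    needed = set()
    for j in range(first, last + 1):
        needed |= deps[j]
    return needed

if __name__ == "__main__":
    deps = key_bit_dependencies()
    print("FL/FL^-1 are inverses:", round_trips())
    print("max subkey bits per output bit:", max(len(d) for d in deps.values()))
    for last in (33, 34, 40):
        bits = sorted(key_bits_for_range(deps, 33, last))
        print(f"output bits 33..{last} need {len(bits)} subkey bits: {bits}")
```

Each output bit of FL$^{-1}$ depends on at most two of the 64 subkey bits, while a whole output byte of the right half needs 16, which is why restricting the value-in-the-middle to fewer bits reduces the number of unknown 1-bit parameters.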

3 MitM Attacks on 10-Round Camellia-128, 11-Round Camellia-192 and 12-Round Camellia-256

In this section we first give the 5 and 6-round MitM properties and then present our MitM attacks on Camellia with FL/FL$^{-1}$ functions.

3.1 MitM Properties for 5 and 6-Round Camellia

We assume the 5-round Camellia is from Rounds 4 to 8, and the 6-round Camellia is from Rounds 3 to 8; see Fig. 1-(a). The MitM properties are as follows, and their proof is given in the Appendix.

Proposition 1. Suppose a set of 256 sixteen-byte values $X^{(i)} = (X_L^{(i)} || X_R^{(i)}) = (m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8, x^{(i)}, m_9, m_{10}, m_{11}, m_{12}, m_{13}, m_{14}, m_{15})$ with $x^{(i)}$ taking all the possible values in $\{0,1\}^8$ and the other 15 bytes $m_1, m_2, \cdots, m_{15}$ fixed to arbitrary values ($i = 1, \cdots, 256$). Then:

1. If $Z^{(i)} = (Z_L^{(i)} || Z_R^{(i)})$ is the result of encrypting $X^{(i)}$ using Rounds 4 to 8 with the FL/FL$^{-1}$ functions between Rounds 6 and 7, then $P^{-1}(Z_R^{(i)})[49 \sim (49 + \omega)]$ can be expressed with a function of $x^{(i)}$ and $100 + 15 \times \omega$ constant 1-bit parameters $c_1, c_2, \cdots, c_{100+15\times\omega}$, written $\Theta_{c_1, c_2, \cdots, c_{100+15\times\omega}}(x^{(i)})$, where $0 \le \omega \le 6$.

2. If $Z^{(i)} = (Z_L^{(i)} || Z_R^{(i)})$ is the result of encrypting $X^{(i)}$ using Rounds 3 to 8 with the FL/FL$^{-1}$ functions between Rounds 6 and 7, then $P^{-1}(Z_R^{(i)})[41 \sim (41 + \omega)]$ can be expressed with a function of $x^{(i)}$ and $164 + 15 \times \omega$ constant 1-bit parameters $c'_1, c'_2, \cdots, c'_{164+15\times\omega}$, written $\Upsilon_{c'_1, c'_2, \cdots, c'_{164+15\times\omega}}(x^{(i)})$, where $0 \le \omega \le 6$.

3.2 Attacking 10-Round Camellia-128 without Whitening Functions

A simple analysis on the key schedule of Camellia-128 reveals the following property.

Property 1 For Camellia-128, given a value of $(K_{2,1}, K_{2,2}, K_{2,3}, K_{2,5}, K_{2,8}, K_{3,1})$ there are only 60 unknown bits of $(K_{9,7}, K_{10,3}, K_{10,4}, K_{10,5}, K_{10,6}, K_{10,8}, K_{11})$.

[Figure 1: (a) 5 and 6-round Camellia (5-round: Rounds 4 to 8; 6-round: Rounds 3 to 8); (b) 11-round Camellia]

Fig. 1. 5 and 6-round Camellia with FL/FL$^{-1}$ functions and an equivalent structure of 11-round Camellia with whitening operations

The 5-round MitM property given in Proposition 1-1 allows us to break 10-round Camellia-128 with FL/FL$^{-1}$ functions, but without the whitening functions. Below is the procedure for attacking Rounds 2 to 11, where the 5-round MitM property with ω = 0 is used from Rounds 4 to 8, and the approach used to choose plaintexts with δ was introduced in [22].

1. For each of $2^{100}$ possible values of the 100 one-bit parameters $c_1, c_2, \cdots, c_{100}$, precompute $\Theta_{c_1, c_2, \cdots, c_{100}}(z)$ sequentially for $z = 0, 1, \cdots, 255$. Store the $2^{100}$ 256-bit sequences in a hash table $L_\Theta$.

2. Randomly choose six 8-bit constants $\gamma_1, \gamma_2, \cdots, \gamma_6$, and define a secret parameter δ to be $\delta = S_4(\gamma_1 \oplus K_{2,4}) \oplus S_6(\gamma_2 \oplus K_{2,6}) \oplus S_7(\gamma_3 \oplus K_{2,7}) \oplus \gamma_4 \oplus \gamma_5 \oplus \gamma_6$.

3. Guess a value for $(K_{2,1}, K_{2,2}, K_{2,3}, K_{2,5}, K_{2,8}, K_{3,1}, \delta)$, and we denote the guessed value by $(K^*_{2,1}, K^*_{2,2}, K^*_{2,3}, K^*_{2,5}, K^*_{2,8}, K^*_{3,1}, \delta^*)$. Then for $x = 0, 1, \cdots, 255$, choose plaintext $P^{(x)} = (P_L^{(x)}, P_R^{(x)})$ in the following way, where $\alpha_1, \alpha_2, \cdots, \alpha_5, \beta_1, \beta_2, \cdots, \beta_7$ are randomly chosen 8-bit constants:

$$
P_L^{(x)} = \begin{pmatrix}
S_1(x \oplus K^*_{3,1}) \oplus \alpha_1 \\
S_1(x \oplus K^*_{3,1}) \oplus \alpha_2 \\
S_1(x \oplus K^*_{3,1}) \oplus \alpha_3 \\
\gamma_1 \\
S_1(x \oplus K^*_{3,1}) \oplus \alpha_4 \\
\gamma_2 \\
\gamma_3 \\
S_1(x \oplus K^*_{3,1}) \oplus \alpha_5
\end{pmatrix}^{T},
$$

$$
P_R^{(x)} = P \begin{pmatrix}
S_1(S_1(x \oplus K^*_{3,1}) \oplus \alpha_1 \oplus K^*_{2,1}) \\
S_2(S_1(x \oplus K^*_{3,1}) \oplus \alpha_2 \oplus K^*_{2,2}) \\
S_3(S_1(x \oplus K^*_{3,1}) \oplus \alpha_3 \oplus K^*_{2,3}) \\
\gamma_4 \\
S_5(S_1(x \oplus K^*_{3,1}) \oplus \alpha_4 \oplus K^*_{2,5}) \\
\gamma_5 \\
\gamma_6 \\
S_8(S_1(x \oplus K^*_{3,1}) \oplus \alpha_5 \oplus K^*_{2,8})
\end{pmatrix}^{T}
\oplus
\begin{pmatrix}
x \oplus \delta^* \\ \beta_1 \\ \beta_2 \\ \beta_3 \\ \beta_4 \\ \beta_5 \\ \beta_6 \\ \beta_7
\end{pmatrix}^{T}.
$$

In a chosen-plaintext attack scenario, obtain the ciphertexts for the plaintexts; we denote by $C^{(x)}$ the ciphertext for plaintext $P^{(x)}$.

4. Guess a value for $(K_{9,7}, K_{10,3}, K_{10,4}, K_{10,5}, K_{10,6}, K_{10,8}, K_{11})$, and we denote the guessed value by $(K^*_{9,7}, K^*_{10,3}, K^*_{10,4}, K^*_{10,5}, K^*_{10,6}, K^*_{10,8}, K^*_{11})$. Then, partially decrypt every ciphertext $C^{(x)}$ with $(K^*_{10,3}, K^*_{10,4}, K^*_{10,5}, K^*_{10,6}, K^*_{10,8}, K^*_{11})$ to get the corresponding value for bytes $(1, 2, \cdots, 8, 15)$ just before Round 10, and we denote it by $(L_9^{(x)}, R_{9,7}^{(x)})$; compute $T^{(x)} = P^{-1}(L_9^{(x)})[49] \oplus S_7(R_{9,7}^{(x)} \oplus K^*_{9,7})[49]$. Next, check whether the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(255)})$ matches a sequence in $L_\Theta$; if yes, record the guessed value $(K^*_{2,1}, K^*_{2,2}, K^*_{2,3}, K^*_{2,5}, K^*_{2,8}, K^*_{3,1}, K^*_{9,7}, K^*_{10,3}, K^*_{10,4}, K^*_{10,5}, K^*_{10,6}, K^*_{10,8}, K^*_{11})$ and execute Step 5; otherwise, repeat Step 1 with another subkey guess (if all the subkey possibilities are tested in Step 4, repeat Step 3 with another subkey guess).

5. For every recorded value for $(K_{10,3}, K_{10,4}, K_{10,5}, K_{10,6}, K_{10,8})$, exhaustively search the remaining 11 key bytes.
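The plaintext choice of Steps 2 and 3 can be checked mechanically: with a correct guess, Rounds 2 and 3 map the 256 chosen plaintexts to Round 4 inputs in which only byte 9 varies and equals x. The Python sketch below is an added example, not the authors' code; it uses the matrix P from Section 2.2 but stand-in random bijective S-boxes instead of Camellia's real $S_1, \cdots, S_8$ (an assumption, since the cancellation relies only on the linearity of P and the Feistel structure), and all keys and constants are constructed test values.

```python
import random

# Rows of the matrix P from Section 2.2: row r lists which input bytes
# are XORed into output byte r.
P_ROWS = [
    (1, 0, 1, 1, 0, 1, 1, 1), (1, 1, 0, 1, 1, 0, 1, 1),
    (1, 1, 1, 0, 1, 1, 0, 1), (0, 1, 1, 1, 1, 1, 1, 0),
    (1, 1, 0, 0, 0, 1, 1, 1), (0, 1, 1, 0, 1, 0, 1, 1),
    (0, 0, 1, 1, 1, 1, 0, 1), (1, 0, 0, 1, 1, 1, 1, 0),
]

def _stand_in_sboxes(seed=7631):
    """ASSUMPTION: eight random byte permutations, NOT Camellia's real S-boxes."""
    rng = random.Random(seed)
    boxes = []
    for _ in range(8):
        box = list(range(256))
        rng.shuffle(box)
        boxes.append(box)
    return boxes

S = _stand_in_sboxes()          # S[0] plays the role of S1, ..., S[7] of S8

def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]

def p_layer(z):
    """Multiply the byte vector z by the binary matrix P."""
    out = []
    for row in P_ROWS:
        acc = 0
        for bit, byte in zip(row, z):
            if bit:
                acc ^= byte
        out.append(acc)
    return out

def f(x, k):
    """F(X, K) = P(S(X xor K)) on 8-byte lists."""
    return p_layer([S[j][x[j] ^ k[j]] for j in range(8)])

def feistel_round(l, r, k):
    """L_i = F(L_{i-1}, K_i) xor R_{i-1},  R_i = L_{i-1}."""
    return xor(f(l, k), r), l

def secret_delta(k2, gamma):
    """The secret parameter delta of Step 2 (gamma = [g1, ..., g6])."""
    return (S[3][gamma[0] ^ k2[3]] ^ S[5][gamma[1] ^ k2[5]]
            ^ S[6][gamma[2] ^ k2[6]] ^ gamma[3] ^ gamma[4] ^ gamma[5])

def choose_plaintext(x, guess, alpha, beta, gamma):
    """Step 3: build (P_L, P_R) for one x from the guessed key bytes and delta."""
    s = S[0][x ^ guess["K3_1"]]                      # S1(x xor K*_{3,1})
    a = [s ^ t for t in alpha]                       # s xor alpha_1..alpha_5
    p_l = [a[0], a[1], a[2], gamma[0], a[3], gamma[1], gamma[2], a[4]]
    z = [S[0][a[0] ^ guess["K2_1"]], S[1][a[1] ^ guess["K2_2"]],
         S[2][a[2] ^ guess["K2_3"]], gamma[3],
         S[4][a[3] ^ guess["K2_5"]], gamma[4], gamma[5],
         S[7][a[4] ^ guess["K2_8"]]]
    p_r = xor(p_layer(z), [x ^ guess["delta"]] + beta)
    return p_l, p_r

def round4_inputs(k2, k3, guess, alpha, beta, gamma):
    """Encrypt the 256 chosen plaintexts through Rounds 2 and 3."""
    states = []
    for x in range(256):
        l, r = choose_plaintext(x, guess, alpha, beta, gamma)
        l, r = feistel_round(l, r, k2)
        l, r = feistel_round(l, r, k3)
        states.append((x, l, r))
    return states

def has_round4_form(states):
    """True if the Round 4 input is (m1..m8, x, m9..m15) for every x."""
    _, l0, r0 = states[0]
    return all(l == l0 and r[0] == x and r[1:] == r0[1:] for x, l, r in states)

def demo(seed=2012):
    """Return the check result for a correct guess, a wrong K3,1 and a wrong delta."""
    rng = random.Random(seed)
    def rand_bytes(n):
        return [rng.randrange(256) for _ in range(n)]
    k2, k3 = rand_bytes(8), rand_bytes(8)            # constructed secret round keys
    alpha, beta, gamma = rand_bytes(5), rand_bytes(7), rand_bytes(6)
    right = {"K2_1": k2[0], "K2_2": k2[1], "K2_3": k2[2], "K2_5": k2[4],
             "K2_8": k2[7], "K3_1": k3[0], "delta": secret_delta(k2, gamma)}
    guesses = [right, dict(right, K3_1=right["K3_1"] ^ 1),
               dict(right, delta=right["delta"] ^ 1)]
    return tuple(has_round4_form(round4_inputs(k2, k3, g, alpha, beta, gamma))
                 for g in guesses)

if __name__ == "__main__":
    print(demo())
```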

The attack requires $2^{56}$ chosen plaintexts. The one-off precomputation requires a memory of $2^{100} \times 256 \times \frac{1}{8} = 2^{105}$ bytes, and has a time complexity of $2^{100} \times 256 \times 2 \times \frac{1}{10} \approx 2^{109.7}$ 10-round Camellia-128 encryptions under the rough estimate that a computation of $\Theta_{c_1, c_2, \cdots, c_{100}}(z)$ equals 2 one-round Camellia-128 encryptions in terms of time. If the guessed value $(K^*_{2,1}, K^*_{2,2}, K^*_{2,3}, K^*_{2,5}, K^*_{2,8}, K^*_{3,1}, \delta^*)$ is correct, the input to Round 4 must have the form $(m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8, x, m_9, m_{10}, m_{11}, m_{12}, m_{13}, m_{14}, m_{15})$, where $m_1, \cdots, m_{15}$ are indeterminate constants.

Step 3 has a time complexity of about $2^{56} \times 256 \times \frac{1+5}{8 \times 10} \approx 2^{60.3}$ 10-round Camellia-128 encryptions. Following Property 1, we learn that the time complexity of Step 4 is approximately $2^{56+60} \times 256 \times \frac{8+5+1}{8 \times 10} \approx 2^{121.5}$ 10-round Camellia-128 encryptions. In Step 4, if the guessed value $(K^*_{2,1}, K^*_{2,2}, K^*_{2,3}, K^*_{2,5}, K^*_{2,8}, K^*_{3,1}, \delta^*, K^*_{9,7}, K^*_{10,3}, K^*_{10,4}, K^*_{10,5}, K^*_{10,6}, K^*_{10,8}, K^*_{11})$ is correct, the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(255)})$ must match a sequence in $L_\Theta$; if the guessed value $(K^*_{2,1}, K^*_{2,2}, K^*_{2,3}, K^*_{2,5}, K^*_{2,8}, K^*_{3,1}, \delta^*, K^*_{9,7}, K^*_{10,3}, K^*_{10,4}, K^*_{10,5}, K^*_{10,6}, K^*_{10,8}, K^*_{11})$ is wrong, the probability that the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(255)})$ matches a sequence in $L_\Theta$ is

$$1 - \binom{2^{100}}{0} (2^{-256})^0 (1 - 2^{-256})^{2^{100}} \approx 2^{-256} \times 2^{100} = 2^{-156}$$

(assuming the event has a binomial distribution). Consequently, it is expected that at most $2^{56+60} \times 2^{-156} = 2^{-40}$ values for $(K_{2,1}, K_{2,2}, K_{2,3}, K_{2,5}, K_{2,8}, K_{3,1}, K_{9,7}, K_{10,3}, K_{10,4}, K_{10,5}, K_{10,6}, K_{10,8}, K_{11})$ are recorded in Step 4. Since a total of 40 bits of $K_L$ can be known from the recorded $(K_{10,3}, K_{10,4}, K_{10,5}, K_{10,6}, K_{10,8})$, Step 5 takes at most $2^{88}$ 10-round Camellia-128 encryptions to find the correct 128-bit user key. Therefore, the attack has a memory complexity of $2^{105}$ bytes and a total time complexity of approximately $2^{121.5}$ 10-round Camellia-128 encryptions.

Note that we can also attack Rounds 8 to 17 (without whitening functions) by applying the 5-round MitM property with ω = 0 from Rounds 10 to 14. This attack has the same data and memory complexity as the above 10-round Camellia-128 attack, but has a total time complexity of approximately $2^{56+65} \times 256 \times \frac{8+5+1}{8 \times 10} \approx 2^{126.5}$ 10-round Camellia-128 encryptions.

3.3 Attacking 11-Round Camellia-192 without Whitening Functions

Both the 5 and 6-round MitM properties given in Proposition 1 can be used to attack 11-round Camellia-192 with FL/FL$^{-1}$ functions, excluding the whitening functions. We first briefly describe an attack on Rounds 13 to 23 using the 5-round MitM property with ω = 0, where we guess $(K_{13}, K_{14}, K_{15,1}, K_{21,7}, K_{22,3}, K_{22,4}, K_{22,5}, K_{22,6}, K_{22,8}, K_{23})$. Note that the following property holds for Camellia-192.

Property 2 For Camellia-192, there is no overlapping bit between $(K_{13}, K_{14}, K_{15,1})$ and $(K_{21,7}, K_{22,3}, K_{22,4}, K_{22,5}, K_{22,6}, K_{22,8}, K_{23})$.

The attack is very similar to the above 10-round Camellia-128 attack, except that we use a different approach to choose plaintexts: Denote by $(K^*_{13}, K^*_{14}, K^*_{15,1})$ a guess for $(K_{13}, K_{14}, K_{15,1})$, and then for $x = 0, 1, \cdots, 255$, choose plaintext $P^{(x)} = (P_L^{(x)}, P_R^{(x)})$ as below, where $\alpha_1, \alpha_2, \cdots, \alpha_8, \beta_1, \beta_2, \cdots, \beta_7$ are randomly chosen 8-bit constants.

$$
P_L^{(x)} = P \begin{pmatrix}
S_1(S_1(x \oplus K^*_{15,1}) \oplus \alpha_1 \oplus K^*_{14,1}) \\
S_2(S_1(x \oplus K^*_{15,1}) \oplus \alpha_2 \oplus K^*_{14,2}) \\
S_3(S_1(x \oplus K^*_{15,1}) \oplus \alpha_3 \oplus K^*_{14,3}) \\
S_4(\alpha_4 \oplus K^*_{14,4}) \\
S_5(S_1(x \oplus K^*_{15,1}) \oplus \alpha_5 \oplus K^*_{14,5}) \\
S_6(\alpha_6 \oplus K^*_{14,6}) \\
S_7(\alpha_7 \oplus K^*_{14,7}) \\
S_8(S_1(x \oplus K^*_{15,1}) \oplus \alpha_8 \oplus K^*_{14,8})
\end{pmatrix}^{T}
\oplus
\begin{pmatrix}
x \\ \beta_1 \\ \beta_2 \\ \beta_3 \\ \beta_4 \\ \beta_5 \\ \beta_6 \\ \beta_7
\end{pmatrix}^{T},
$$

$$
P_R^{(x)} = F(P_L^{(x)}, K^*_{13}) \oplus \begin{pmatrix}
S_1(x \oplus K^*_{15,1}) \oplus \alpha_1 \\
S_1(x \oplus K^*_{15,1}) \oplus \alpha_2 \\
S_1(x \oplus K^*_{15,1}) \oplus \alpha_3 \\
\alpha_4 \\
S_1(x \oplus K^*_{15,1}) \oplus \alpha_5 \\
\alpha_6 \\
\alpha_7 \\
S_1(x \oplus K^*_{15,1}) \oplus \alpha_8
\end{pmatrix}^{T}.
$$

There are $2^{64+8} = 2^{72}$ possible values for $(K_{13}, K_{14}, K_{15,1})$. Similarly, the attack requires $256 \times 2^{72} = 2^{80}$ chosen plaintexts and a memory of $2^{100} \times 256 \times \frac{1}{8} = 2^{105}$ bytes, and has a total time complexity of approximately $2^{100} \times 256 \times 2 \times \frac{1}{11} + 2^{72+112} \times 256 \times \frac{8+5+1}{8 \times 11} \approx 2^{189.4}$ 11-round Camellia-192 encryptions.

We can use the 6-round MitM property to break Rounds 13 to 23. We choose ω = 0. The attack is similar to the 10-round Camellia-128 attack described in Section 3.2, except the following two points: (1) There are 164 one-bit parameters $c'_1, c'_2, \cdots, c'_{164}$ in the off-line precomputation phase; and (2) We append three rounds (i.e., Rounds 21 to 23) after the 6-round MitM property. There are only $2^{40}$ possible values for $(K_{13,1}, K_{13,2}, K_{13,3}, K_{13,5}, K_{13,8}, K_{14,1})$, and thus the attack requires $256 \times 2^{40+8} = 2^{56}$ chosen plaintexts. After a similar analysis, we get that the off-line precomputation requires a memory of $2^{164} \times 256 \times \frac{1}{8} = 2^{169}$ bytes and has a time complexity of $2^{164} \times 256 \times 3 \times \frac{1}{11} \approx 2^{170.2}$ 11-round Camellia-192 encryptions under the rough estimate that a computation of $\Upsilon_{c'_1, c'_2, \cdots, c'_{164}}(\cdot)$ equals 3 one-round Camellia-192 encryptions in terms of time. The time complexity in the key-recovery phase is approximately $2^{48+112} \times 256 \times \frac{8+5+1}{8 \times 11} \approx 2^{165.4}$ 11-round Camellia-192 encryptions. We can obtain a data–memory–time tradeoff [14] version from this 11-round Camellia-192 attack, which has a data complexity of $2^{59.4}$ chosen plaintexts, a memory complexity of $2^{167.6}$ bytes and a total time complexity of $2^{169.8}$ 11-round Camellia-192 encryptions.

3.4 Attacking 11-Round Camellia-192 with Whitening Functions

The 6-round MitM property can also be used to mount an MitM attack on 11-round Camellia-192 with FL/FL$^{-1}$ and whitening functions, by taking advantage of an equivalent structure of 11-round Camellia as depicted in Fig. 1-(b). Here we attack the first 11 rounds of Camellia-192, and choose ω = 1.

Define equivalent round subkeys $\hat{K}_1 = K_1 \oplus KW_1$, $\hat{K}_2 = K_2 \oplus KW_2$, $\hat{K}_9 = K_9 \oplus KW_4$, $\hat{K}_{10} = K_{10} \oplus KW_3$, $\hat{K}_{11} = K_{11} \oplus KW_4$. Below is the attack procedure.

1. For each of $2^{179}$ possible values of the 179 one-bit parameters $c'_1, c'_2, \cdots, c'_{179}$, precompute $\Upsilon_{c'_1, c'_2, \cdots, c'_{179}}(z)$ sequentially for $z = 0, 1, \cdots, 255$. Store the $2^{179}$ 512-bit sequences in a hash table $L_\Upsilon$.

2. Randomly choose six 8-bit constants $\gamma_1, \gamma_2, \cdots, \gamma_6$, and define a secret parameter $\delta = KW_2[1 \sim 8] \oplus S_4(\gamma_1 \oplus \hat{K}_{1,4}) \oplus S_6(\gamma_2 \oplus \hat{K}_{1,6}) \oplus S_7(\gamma_3 \oplus \hat{K}_{1,7}) \oplus \gamma_4 \oplus \gamma_5 \oplus \gamma_6$.

3. Guess a value for $(\hat{K}_{1,1}, \hat{K}_{1,2}, \hat{K}_{1,3}, \hat{K}_{1,5}, \hat{K}_{1,8}, K_{2,1}, \delta)$, and we denote the guessed value by $(\hat{K}^*_{1,1}, \hat{K}^*_{1,2}, \hat{K}^*_{1,3}, \hat{K}^*_{1,5}, \hat{K}^*_{1,8}, K^*_{2,1}, \delta^*)$. Then for $x = 0, 1, \cdots, 255$, choose plaintext $P^{(x)} = (P_L^{(x)}, P_R^{(x)})$ in the following way, where $\alpha_1, \alpha_2, \cdots, \alpha_5, \beta_1, \beta_2, \cdots, \beta_7$ are randomly chosen 8-bit constants:

$$
P_L^{(x)} = \begin{pmatrix}
S_1(x \oplus K^*_{2,1}) \oplus \alpha_1 \\
S_1(x \oplus K^*_{2,1}) \oplus \alpha_2 \\
S_1(x \oplus K^*_{2,1}) \oplus \alpha_3 \\
\gamma_1 \\
S_1(x \oplus K^*_{2,1}) \oplus \alpha_4 \\
\gamma_2 \\
\gamma_3 \\
S_1(x \oplus K^*_{2,1}) \oplus \alpha_5
\end{pmatrix}^{T},
$$

$$
P_R^{(x)} = P \begin{pmatrix}
S_1(S_1(x \oplus K^*_{2,1}) \oplus \alpha_1 \oplus \hat{K}^*_{1,1}) \\
S_2(S_1(x \oplus K^*_{2,1}) \oplus \alpha_2 \oplus \hat{K}^*_{1,2}) \\
S_3(S_1(x \oplus K^*_{2,1}) \oplus \alpha_3 \oplus \hat{K}^*_{1,3}) \\
\gamma_4 \\
S_5(S_1(x \oplus K^*_{2,1}) \oplus \alpha_4 \oplus \hat{K}^*_{1,5}) \\
\gamma_5 \\
\gamma_6 \\
S_8(S_1(x \oplus K^*_{2,1}) \oplus \alpha_5 \oplus \hat{K}^*_{1,8})
\end{pmatrix}^{T}
\oplus
\begin{pmatrix}
x \oplus \delta^* \\ \beta_1 \\ \beta_2 \\ \beta_3 \\ \beta_4 \\ \beta_5 \\ \beta_6 \\ \beta_7
\end{pmatrix}^{T}.
$$

In a chosen-plaintext attack scenario, obtain the ciphertexts for the plaintexts; we denote by $C^{(x)}$ the ciphertext for plaintext $P^{(x)}$.

4. Guess a value for $(P^{-1}(KW_3)[41 \sim 42], \hat{K}_{9,6}, \hat{K}_{10,2}, \hat{K}_{10,3}, \hat{K}_{10,5}, \hat{K}_{10,7}, \hat{K}_{10,8}, \hat{K}_{11})$, and we denote the guessed value by $(P^{-1}(KW_3)^*[41 \sim 42], \hat{K}^*_{9,6}, \hat{K}^*_{10,2}, \hat{K}^*_{10,3}, \hat{K}^*_{10,5}, \hat{K}^*_{10,7}, \hat{K}^*_{10,8}, \hat{K}^*_{11})$. Then partially decrypt every ciphertext $C^{(x)}$ with $(\hat{K}^*_{10,2}, \hat{K}^*_{10,3}, \hat{K}^*_{10,5}, \hat{K}^*_{10,7}, \hat{K}^*_{10,8}, \hat{K}^*_{11})$ to get the corresponding value for bytes $(1, 2, \cdots, 8, 14)$ immediately before Round 10; and we denote it by $(L_9^{(x)}, R_{9,6}^{(x)})$. Next, compute

$$T^{(x)} = P^{-1}(KW_3)^*[41 \sim 42] \oplus P^{-1}(L_9^{(x)})[41 \sim 42] \oplus S_6(R_{9,6}^{(x)} \oplus \hat{K}^*_{9,6})[41 \sim 42].$$

Finally, check whether the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(255)})$ matches a sequence in $L_\Upsilon$; if yes, record the guessed value $(\hat{K}^*_{1,1}, \hat{K}^*_{1,2}, \hat{K}^*_{1,3}, \hat{K}^*_{1,5}, \hat{K}^*_{1,8}, K^*_{2,1}, \hat{K}^*_{9,6}, \hat{K}^*_{10,2}, \hat{K}^*_{10,3}, \hat{K}^*_{10,5}, \hat{K}^*_{10,7}, \hat{K}^*_{10,8}, \hat{K}^*_{11})$ and execute Step 5; otherwise, repeat Step 4 with another subkey guess (if all the subkey possibilities are tested in Step 4, repeat Step 3 with another subkey guess).

5. For every recorded subkey guess, determine the correct user key.

The attack requires $2^{56}$ chosen plaintexts. The one-off precomputation requires a memory of $2^{179} \times 256 \times \frac{2}{8} = 2^{185}$ bytes, and has a time complexity of $2^{179} \times 256 \times 3 \times \frac{1}{11} \approx 2^{185.2}$ 11-round Camellia-192 encryptions. If the guessed value $(\hat{K}^*_{1,1}, \hat{K}^*_{1,2}, \hat{K}^*_{1,3}, \hat{K}^*_{1,5}, \hat{K}^*_{1,8}, K^*_{2,1}, \delta^*)$ is correct, the input to Round 3 must have the form $(m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8, x, m_9, m_{10}, m_{11}, m_{12}, m_{13}, m_{14}, m_{15})$, where $m_1, m_2, \cdots, m_{15}$ are indeterminate constants.

Step 3 has a time complexity of about $2^{56} \times 256 \times \frac{1+5}{8 \times 11} \approx 2^{60.2}$ 11-round Camellia-192 encryptions. Step 4 has a time complexity of approximately $2^{56+114} \times 256 \times \frac{8+5+1}{8 \times 11} \approx 2^{175.4}$ 11-round Camellia-192 encryptions. In Step 4, for the correct guess of $(P^{-1}(KW_3)[41 \sim 42], \delta, \hat{K}_{1,1}, \hat{K}_{1,2}, \hat{K}_{1,3}, \hat{K}_{1,5}, \hat{K}_{1,8}, K_{2,1}, \hat{K}_{9,6}, \hat{K}_{10,2}, \hat{K}_{10,3}, \hat{K}_{10,5}, \hat{K}_{10,7}, \hat{K}_{10,8}, \hat{K}_{11})$, the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(255)})$ must match a sequence in $L_\Upsilon$; for a wrong guess of $(P^{-1}(KW_3)[41 \sim 42], \delta, \hat{K}_{1,1}, \hat{K}_{1,2}, \hat{K}_{1,3}, \hat{K}_{1,5}, \hat{K}_{1,8}, K_{2,1}, \hat{K}_{9,6}, \hat{K}_{10,2}, \hat{K}_{10,3}, \hat{K}_{10,5}, \hat{K}_{10,7}, \hat{K}_{10,8}, \hat{K}_{11})$, the probability that the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(255)})$ matches a sequence in $L_\Upsilon$ is approximately

$$1 - \binom{2^{179}}{0} (2^{-512})^0 (1 - 2^{-512})^{2^{179}} \approx 2^{-512} \times 2^{179} = 2^{-333}$$

(assuming the event has a binomial distribution). Consequently, it is expected that at most $2^{56+114} \times 2^{-333} = 2^{-163}$ values for $(P^{-1}(KW_3)[41 \sim 42], \delta, \hat{K}_{1,1}, \hat{K}_{1,2}, \hat{K}_{1,3}, \hat{K}_{1,5}, \hat{K}_{1,8}, K_{2,1}, \hat{K}_{9,6}, \hat{K}_{10,2}, \hat{K}_{10,3}, \hat{K}_{10,5}, \hat{K}_{10,7}, \hat{K}_{10,8}, \hat{K}_{11})$ are recorded in Step 4, so a recorded value is very likely to be the correct subkey guess. Since 8 bits of $K_B$ can be known from $K_{2,1}$, we can find out the correct user key with a time complexity of at most $2^{120} \times \frac{6}{11} \approx 2^{119.2}$ 11-round Camellia-192 encryptions by using Property 4 from [22] (as well as the obtained relationship about the subkeys). Therefore, the attack has a memory complexity of $2^{185}$ bytes and a total time complexity of approximately $2^{185.2}$ 11-round Camellia-192 encryptions.

We can similarly attack two other series of 12-round Camellia-256 with FL/FL$^{-1}$ and whitening functions, i.e., Rounds 7 to 17 and Rounds 13 to 23.

3.5 Attacking 12-Round Camellia-256 without Whitening Functions

We can use the 6-round MitM property given in Proposition 1-2 to mount an MitM attack on 12-round Camellia-256 with FL/FL$^{-1}$ functions, excluding the whitening functions. We attack Rounds 7 to 18, and choose ω = 1, where we guess $(K_{7,1}, K_{7,2}, K_{7,3}, K_{7,5}, K_{7,8}, K_{8,1}, K_{15,6}, K_{16,2}, K_{16,3}, K_{16,5}, K_{16,7}, K_{16,8}, K_{17}, K_{18})$, plus a secret 8-bit parameter δ with a similar meaning as the one from the above 10-round Camellia-128 attack. We have the following property for Camellia-256.

Property 3 For Camellia-256, given a value for $(K_{7,1}, K_{7,2}, K_{7,3}, K_{7,5}, K_{7,8}, K_{8,1})$ there are only 158 unknown bits for $(K_{15,6}, K_{16,2}, K_{16,3}, K_{16,5}, K_{16,7}, K_{16,8}, K_{17}, K_{18})$.

Similarly, the attack requires $2^{56}$ chosen plaintexts and a memory of $2^{179} \times 256 \times \frac{2}{8} = 2^{185}$ bytes, and has a total time complexity of $2^{179} \times 256 \times 3 \times \frac{1}{12} + 2^{56+158} \times 256 \times \frac{8+8+5+1}{8 \times 12} \approx 2^{219.9}$ 12-round Camellia-256 encryptions.

It is noteworthy that we can also break two other series of 12-round Camellia-256 with FL/FL$^{-1}$ functions, namely Rounds 1 to 12 and Rounds 13 to 24. Similarly, the attack has the same data and memory complexity as the above 12-round Camellia-256 attack, but has a total time complexity of approximately $2^{56+176} \times 256 \times \frac{8+8+5+1}{8 \times 12} \approx 2^{237.9}$ 12-round Camellia-256 encryptions.

3.6 Attacking 12-Round Camellia-256 with Whitening Functions

The 6-round MitM property can enable us to conduct an MitM attack on 12-round Camellia-256 with FL/FL$^{-1}$ and whitening functions, by making use of an equivalent structure of 12-round Camellia similar to the 11-round structure depicted in Fig. 1-(b). Here we attack Rounds 1 to 12, and choose ω = 1. The attack is basically the version of the 11-round Camellia-192 attack given in Section 3.4 when one more round is appended at the end. As a result, the attack requires $2^{56}$ chosen plaintexts and a memory of $2^{185}$ bytes, and has a total time complexity of at most $2^{56+178} \times 256 \times \frac{8+8+5+1}{8 \times 12} \approx 2^{239.9}$ 12-round Camellia-256 encryptions.

4

HO-MitM Attacks on 10-Round Camellia-128, 11-Round Camellia-192 and 12-Round Camellia-256

It can be easily seen from the proof of the 5 and 6-round MitM properties that a few 1-bit constants can be cancelled if we take XOR under two different inputs; such a resulting attack is termed a HO-MitM attack by definition in [23] (as mentioned in [23], this type of HO-MitM attack appeared under the name of MitM attack before). In this section we briefly describe certain of these HO-MitM attacks based on 5 and 6-round HO-MitM properties obtained by taking XOR under two different inputs in the above 5 and 6-round MitM properties.

4.1 HO-MitM Properties for 5 and 6-Round Camellia

Because $A \oplus A = 0$, $(A \cap C) \oplus (B \cap C) = (A \oplus B) \cap C$ and $(A \cup C) \oplus (B \cup C) = (A \oplus B) \oplus (A \oplus B) \cap C$, where $A, B, C$ are blocks of the same length, from the proof in the Appendix we learn that: (1) If we take XOR between two inputs from the 5-round MitM property with $\omega = 0$, then fifteen 1-bit constant parameters can be cancelled, namely $KI_2[42, 49, 50]$, $b_1[2]$, $b_2[2]$, $b_3[1, 2]$, $b_4[1]$, $b_5[1, 2]$, $b_6[1, 2]$, $b_7[1, 2]$, $b_8[1]$; and (2) If we take XOR between two inputs from the 6-round MitM property with $\omega = 1$, then twenty 1-bit constant parameters can be cancelled, namely $\hat{e}_1[2, 3]$, $\hat{e}_2[1, 2, 3]$, $\hat{e}_3[1, 2]$, $\hat{e}_4[2, 3]$, $\hat{e}_5[1, 2, 3]$, $\hat{e}_6[1, 2, 3]$, $\hat{e}_7[1, 2]$, $\hat{e}_8[1, 2, 3]$. More formally, we have the following 5 and 6-round HO-MitM properties.

Proposition 2. Suppose $X^{(i)}$ is defined as in Proposition 1. Let $i_1, i_2 \in \{1, 2, \cdots, 256\}$ and $i_1 \neq i_2$, then:

1. If $Z^{(i)} = (Z_L^{(i)} \| Z_R^{(i)})$ is the result of encrypting $X^{(i)}$ using Rounds 4 to 8 with the FL/FL$^{-1}$ functions between Rounds 6 and 7, then $P^{-1}(Z_R^{(i_1)} \oplus Z_R^{(i_2)})[49]$ can be expressed with a function of $x^{(i_1)}$, $x^{(i_2)}$ and 85 constant 1-bit parameters.
2. If $Z^{(i)} = (Z_L^{(i)} \| Z_R^{(i)})$ is the result of encrypting $X^{(i)}$ using Rounds 3 to 8 with the FL/FL$^{-1}$ functions between Rounds 6 and 7, then $P^{-1}(Z_R^{(i_1)} \oplus Z_R^{(i_2)})[41 \sim 42]$ can be expressed with a function of $x^{(i_1)}$, $x^{(i_2)}$ and 159 constant 1-bit parameters.

4.2 Attacking 10-Round Camellia-128 without Whitening Functions

We can use Proposition 2-1 to make a HO-MitM attack corresponding to the MitM attack on 10-round Camellia-128 given in Section 3.2; here we fix $i_1$ to a value and let $i_2$ take all the other 255 values. The HO-MitM attack requires 256 chosen plaintexts and a memory of $2^{85} \times 255 \times \frac{1}{8} \approx 2^{90}$ bytes, and has a time complexity of approximately $2^{85} \times 256 \times 2 \times \frac{1}{10} + 2^{56+60} \times 256 \times \frac{8+5+1}{8 \times 10} \approx 2^{121.5}$ 10-round Camellia-128 encryptions.

4.3 Attacking 11-Round Camellia-192 with Whitening Functions

Based on Proposition 2-2, the HO-MitM attack on the first 11 rounds of Camellia-192 with FL/FL$^{-1}$ and whitening functions, corresponding to the MitM attack on 11-round Camellia-192 given in Section 3.4, requires 256 chosen plaintexts and a memory of $2^{159} \times 255 \times \frac{2}{8} \approx 2^{165}$ bytes, and has a time complexity of approximately $2^{159} \times 256 \times 3 \times \frac{1}{11} + 2^{56+112} \times 256 \times \frac{8+5+1}{8 \times 11} \approx 2^{173.4}$ 11-round Camellia-192 encryptions. Note that we do not need to guess $P^{-1}(KW_3)[41 \sim 42]$, since it is cancelled after an XOR operation.

4.4 Attacking 12-Round Camellia-256 with Whitening Functions

Similar to the MitM attack on 12-round Camellia-256 given in Section 3.6, Proposition 2-2 can also be used to conduct a HO-MitM attack on the first 12 rounds of Camellia-256 with FL/FL$^{-1}$ and whitening functions, which requires 256 chosen plaintexts and a memory of $2^{159} \times 255 \times \frac{2}{8} \approx 2^{165}$ bytes, and has a time complexity of approximately $2^{159} \times 256 \times 3 \times \frac{1}{12} + 2^{56+176} \times 256 \times \frac{8+8+5+1}{8 \times 12} \approx 2^{237.9}$ 12-round Camellia-256 encryptions.

We notice that recently Chen and Li [6] published an MitM attack on 12-round Camellia-256 with FL/FL$^{-1}$ and whitening functions, which is actually a HO-MitM attack by definition in [23], building on a 7-round property with 224 constant 1-bit parameters. When constructing the 7-round property, Chen and Li cancelled four 1-bit constant parameters by taking XOR under two different inputs. Likewise, we observe that eight other 1-bit constant parameters were cancelled actually, too. Thus, the 7-round property involves 221 constant 1-bit parameters, and the resulting attack requires $2^{19}$ chosen plaintexts and a memory of $2^{221}$ bytes and has a time complexity of $2^{223.2}$ 12-round Camellia-256 encryptions.

5 Concluding Remarks

In this paper, we have analysed the security of Camellia against the MitM attack in detail, following the work in [23]. We have presented 5 and 6-round MitM properties of Camellia, that can be used to conduct MitM attacks on 10-round Camellia-128 with the FL/FL$^{-1}$ functions, 11-round Camellia-192 with the FL/FL$^{-1}$ and whitening functions and 12-round Camellia-256 with the FL/FL$^{-1}$ and whitening functions. We have also described 5 and 6-round HO-MitM properties of Camellia, obtained from the 5 and 6-round MitM properties by taking XOR under two inputs to cancel some constant parameters, which can be used to break the same numbers of rounds as the MitM attacks. Our results show that as far as Camellia is concerned, the semi-advanced MitM attack technique is more efficient than or at least as efficient as the advanced cryptanalytic techniques studied, except impossible differential cryptanalysis; in this latter case the MitM attacks are one or two rounds inferior to the best newly emerging impossible differential cryptanalysis results from [2,21].

We attribute these MitM attacks to the fact that the FL$^{-1}$ function does not have a good avalanche effect (i.e., an output bit relies on a large number of the bits of the input and the subkey used). If the FL$^{-1}$ function were modified to have a good avalanche effect, then those MitM properties would involve a large number of unknown 1-bit constant parameters, and the resulting MitM attacks would be ineffective for the resulting cipher, but nevertheless it does not necessarily resist the HO-MitM attack technique, for those HO-MitM attacks described in [23] work as long as that integral property of Camellia holds (canceling the FL$^{-1}$ function). Actually, if the FL/FL$^{-1}$ functions had had a good avalanche effect, the Camellia cipher could also have withstood the best currently known cryptanalytic results that are the newly emerging impossible differential cryptanalysis results from [2, 21]. In this sense, the FL/FL$^{-1}$ functions do play an important role in the security of Camellia.

Acknowledgments. The authors thank the anonymous referees for their comments on this paper.

References

1. Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: a 128-bit block cipher suitable for multiple platforms — design and analysis. In: Stinson, D.R., Tavares, S.E. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001)
2. Bai, D., Li, L.: New impossible differential attacks on Camellia. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 80–96. Springer, Heidelberg (2012)
3. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)
4. Biham, E., Dunkelman, O., Keller, N.: The rectangle attack — rectangling the Serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001)
5. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4(1), 3–72. Springer (1991)
6. Chen, J., Li, L.: Low data complexity attack on reduced Camellia-256. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 101–114. Springer, Heidelberg (2012)
7. Chen, J., Jia, K., Yu, H., Wang, X.: New impossible differential attacks of reduced-round Camellia-192 and Camellia-256. In: Hawkes, P., Parampalli, U. (eds.) ACISP 2011. LNCS, vol. 6812, pp. 16–33. Springer, Heidelberg (2011)
8. CRYPTREC — Cryptography Research and Evaluation Committees, report 2002 (2003)
9. Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher Square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997)
10. Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008)
11. Diffie, W., Hellman, M.: Exhaustive cryptanalysis of the NBS data encryption standard. Computer 10(6), pp. 74–84. IEEE (1977)
12. Duo, L., Li, C., Feng, K.: New observation on Camellia. In: Preneel, B., Tavares, S.E. (eds.) SAC 2005. LNCS, vol. 3897, pp. 51–64. Springer, Heidelberg (2006)
13. Hatano, Y., Sekine, H., Kaneko, T.: Higher order differential attack of Camellia(II). In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 39–56. Springer, Heidelberg (2003)
14. Hellman, M.E.: A cryptanalytic time–memory trade-off. IEEE Transactions on Information Theory 26(4), 401–406 (1980)
15. Hu, Y., Zhang, Y., Xiao, G.: Integral cryptanalysis of SAFER+. Electronics Letters 35(17), 1458–1459. IEE (1999)
16. International Standardization of Organization (ISO), International Standard – ISO/IEC 18033-3, Information technology – Security techniques – Encryption algorithms – Part 3: Block ciphers, 2005
17. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
18. Knudsen, L.R.: DEAL — a 128-bit block cipher. Technical report, Department of Informatics, University of Bergen, Norway (1998)
19. Knudsen, L.R., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002)
20. Lai, X.: Higher order derivatives and differential cryptanalysis. In: Communications and Cryptography, pp. 227–233. Academic Publishers (1994)
21. Liu, Y., Li, L., Gu, D., Wang, X., Liu, Z., Chen, J., Li, W.: New observations on impossible differential cryptanalysis of reduced-round Camellia. In: Canteaut, A. (ed.) FSE 2012. LNCS 7549, to appear. Springer, Heidelberg (2012)
22. Lu, J., Wei, Y., Kim, J., Fouque, P.-A.: Cryptanalysis of reduced versions of the Camellia block cipher. In: Miri, A., Vaudenay, S. (eds.) Pre-proceedings of SAC 2011. http://sac2011.ryerson.ca/SAC2011/LWKF.pdf. An editorially revised version is to appear in IET Information Security.
23. Lu, J., Wei, Y., Kim, J., Pasalic, E.: The higher-order meet-in-the-middle attack and its application to the Camellia block cipher. Presented in part at the First Asian Workshop on Symmetric Key Cryptography (ASK 2011), August 2011, Singapore. https://sites.google.com/site/jiqiang/HO-MitM.pdf
24. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
25. NESSIE — New European Schemes for Signatures, Integrity, and Encryption, final report of European project IST-1999-12324 (2004)
26. Wu, W., Feng, D., Chen, H.: Collision attack and pseudorandomness of reduced-round Camellia. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 256–270. Springer, Heidelberg (2005)
27. Wagner, D.: The boomerang attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999)

Appendix: Proof of Proposition 1

First, we have the following property for the FL/FL$^{-1}$ functions.

Property 4 (from [23]) Let $x_1, x_2, \cdots, x_8, y_1, y_2, \cdots, y_8$ be 8-bit blocks and $KI$ be a 64-bit subkey.

1. If $(y_1 \| y_2 \| \cdots \| y_8) = \mathrm{FL}(x_1 \| x_2 \| \cdots \| x_8, KI)$, then

$$\begin{aligned}
y_1 &= ((((x_1[2 \sim 8] \| x_2[1]) \cap KI[2 \sim 9]) \oplus x_5) \cup KI[33 \sim 40]) \oplus x_1,\\
y_2 &= ((((x_2[2 \sim 8] \| x_3[1]) \cap KI[10 \sim 17]) \oplus x_6) \cup KI[41 \sim 48]) \oplus x_2,\\
y_3 &= ((((x_3[2 \sim 8] \| x_4[1]) \cap KI[18 \sim 25]) \oplus x_7) \cup KI[49 \sim 56]) \oplus x_3,\\
y_4 &= ((((x_4[2 \sim 8] \| x_1[1]) \cap KI[26 \sim 32, 1]) \oplus x_8) \cup KI[57 \sim 64]) \oplus x_4,\\
y_5 &= ((x_1[2 \sim 8] \| x_2[1]) \cap KI[2 \sim 9]) \oplus x_5,\\
y_6 &= ((x_2[2 \sim 8] \| x_3[1]) \cap KI[10 \sim 17]) \oplus x_6,\\
y_7 &= ((x_3[2 \sim 8] \| x_4[1]) \cap KI[18 \sim 25]) \oplus x_7,\\
y_8 &= ((x_4[2 \sim 8] \| x_1[1]) \cap KI[26 \sim 32, 1]) \oplus x_8.
\end{aligned}$$

2. If $(y_1 \| y_2 \| \cdots \| y_8) = \mathrm{FL}^{-1}(x_1 \| x_2 \| \cdots \| x_8, KI)$, then

$$\begin{aligned}
y_1 &= (x_5 \cup KI[33 \sim 40]) \oplus x_1,\\
y_2 &= (x_6 \cup KI[41 \sim 48]) \oplus x_2,\\
y_3 &= (x_7 \cup KI[49 \sim 56]) \oplus x_3,\\
y_4 &= (x_8 \cup KI[57 \sim 64]) \oplus x_4,\\
y_5 &= ((((x_5[2 \sim 8] \| x_6[1]) \cup KI[34 \sim 41]) \oplus (x_1[2 \sim 8] \| x_2[1])) \cap KI[2 \sim 9]) \oplus x_5,\\
y_6 &= ((((x_6[2 \sim 8] \| x_7[1]) \cup KI[42 \sim 49]) \oplus (x_2[2 \sim 8] \| x_3[1])) \cap KI[10 \sim 17]) \oplus x_6,\\
y_7 &= ((((x_7[2 \sim 8] \| x_8[1]) \cup KI[50 \sim 57]) \oplus (x_3[2 \sim 8] \| x_4[1])) \cap KI[18 \sim 25]) \oplus x_7,\\
y_8 &= ((((x_8[2 \sim 8] \| x_5[1]) \cup KI[58 \sim 64, 33]) \oplus (x_4[2 \sim 8] \| x_1[1])) \cap KI[26 \sim 32, 1]) \oplus x_8.
\end{aligned}$$
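The following Python check is an added example, not code from the paper. It implements FL and FL$^{-1}$ at word level as in the Camellia specification, confirms that the byte-wise expressions of Property 4 agree with them, and shows the two Boolean identities of Section 4.1 at work: the XOR of two FL$^{-1}$ outputs depends only on the input XOR and the subkey, so a constant XORed into both inputs drops out. The helper names (`pick`, `shifted`, `fl_inv_difference`, `self_check`) and the random inputs are constructed for this illustration.

```python
import random

MASK32 = 0xFFFFFFFF

def rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32

def fl(x, ki):
    """Word-level FL from the Camellia specification (64-bit block, 64-bit subkey)."""
    xl, xr, kl, kr = x >> 32, x & MASK32, ki >> 32, ki & MASK32
    xr ^= rotl32(xl & kl, 1)
    xl ^= xr | kr
    return (xl << 32) | xr

def fl_inv(x, ki):
    """Word-level FL^{-1} from the Camellia specification."""
    xl, xr, kl, kr = x >> 32, x & MASK32, ki >> 32, ki & MASK32
    xl ^= xr | kr
    xr ^= rotl32(xl & kl, 1)
    return (xl << 32) | xr

def pick(v, positions):
    """Concatenate the bits of the 64-bit value v at the given positions (bit 1 = leftmost)."""
    out = 0
    for p in positions:
        out = (out << 1) | ((v >> (64 - p)) & 1)
    return out

def byte(j):
    """Bit positions of the j-th byte, j = 1..8."""
    return range(8 * j - 7, 8 * j + 1)

def shifted(j, base):
    """Positions of (byte j bits 2..8 || next byte bit 1), wrapping inside the
    32-bit half that starts after bit `base` (0 = left half, 32 = right half)."""
    return [base + (8 * (j - 1) + t) % 32 + 1 for t in range(1, 9)]

def fl_bytewise(x, ki):
    """Property 4-1: FL written byte by byte."""
    y = [0] * 9
    for j in range(1, 5):
        y[j + 4] = (pick(x, shifted(j, 0)) & pick(ki, shifted(j, 0))) ^ pick(x, byte(j + 4))
        y[j] = (y[j + 4] | pick(ki, byte(j + 4))) ^ pick(x, byte(j))
    return int.from_bytes(bytes(y[1:]), "big")

def fl_inv_bytewise(x, ki):
    """Property 4-2: FL^{-1} written byte by byte."""
    y = [0] * 9
    for j in range(1, 5):
        y[j] = (pick(x, byte(j + 4)) | pick(ki, byte(j + 4))) ^ pick(x, byte(j))
        t = (pick(x, shifted(j, 32)) | pick(ki, shifted(j, 32))) ^ pick(x, shifted(j, 0))
        y[j + 4] = (t & pick(ki, shifted(j, 0))) ^ pick(x, byte(j + 4))
    return int.from_bytes(bytes(y[1:]), "big")

def fl_inv_difference(dx, ki):
    """XOR of two FL^{-1} outputs predicted from the input XOR dx alone, using
    (A|C)^(B|C) = (A^B)^((A^B)&C) and (A&C)^(B&C) = (A^B)&C."""
    dl, dr, kl, kr = dx >> 32, dx & MASK32, ki >> 32, ki & MASK32
    dl ^= dr ^ (dr & kr)
    dr ^= rotl32(dl & kl, 1)
    return (dl << 32) | dr

def self_check(trials=1000, seed=2012):
    """Return True if every relation holds on constructed random inputs."""
    rng = random.Random(seed)  # constructed inputs, not published test vectors
    for _ in range(trials):
        x, x2, ki, c = (rng.getrandbits(64) for _ in range(4))
        predicted = fl_inv_difference(x ^ x2, ki)
        ok = (fl_bytewise(x, ki) == fl(x, ki)
              and fl_inv_bytewise(x, ki) == fl_inv(x, ki)
              and fl_inv(fl(x, ki), ki) == x
              and (fl_inv(x, ki) ^ fl_inv(x2, ki)) == predicted
              # the common constant c cancels in the output XOR
              and (fl_inv(x ^ c, ki) ^ fl_inv(x2 ^ c, ki)) == predicted)
        if not ok:
            return False
    return True

if __name__ == "__main__":
    print(self_check())
```

The last condition in `self_check` is the mechanism behind the HO-MitM properties: unknown constants that enter both encryptions identically do not need to be guessed once two outputs are XORed.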

When encrypting $X^{(i)}$, we denote by $Y_t^{(i)}$ the value immediately after the S operation of Round $t$, and by $W_t^{(i)}$ the value immediately after the P operation of Round $t$, $(3 \le t \le 8)$. We have Eq. (1) for Rounds 4 to 8 and have Eq. (2) for Rounds 3 to 8.

$$P^{-1}(Z_R^{(i)}) = P^{-1}(\mathrm{FL}^{-1}(X_L^{(i)} \oplus W_5^{(i)}, KI_2)) \oplus Y_7^{(i)}. \qquad (1)$$

$$P^{-1}(Z_R^{(i)}) = P^{-1}(\mathrm{FL}^{-1}(X_R^{(i)} \oplus W_3^{(i)} \oplus W_5^{(i)}, KI_2)) \oplus Y_7^{(i)}. \qquad (2)$$

We first prove Proposition 1-1, and focus on encrypting $X^{(i)}$ through Rounds 4 to 8 below. The output of Round 4 is as follows, where $a_1, a_2, \cdots, a_8$ are 8-bit constants completely determined by $m_1, m_2, \cdots, m_{15}$ and $K_4$.

$$L_4^{(i)} = (x^{(i)} \oplus a_1, a_2, a_3, a_4, a_5, a_6, a_7, a_8), \quad R_4^{(i)} = (m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8).$$

The output of Round 5 is as follows, where $b, b_1, \cdots, b_8$ are 8-bit constants completely determined by $m_1, m_2, \cdots, m_8$, $a_1, a_2, \cdots, a_8$ and $K_5$:

$$L_5^{(i)} = (L_{5,1}^{(i)}, L_{5,2}^{(i)}, L_{5,3}^{(i)}, L_{5,4}^{(i)}, L_{5,5}^{(i)}, L_{5,6}^{(i)}, L_{5,7}^{(i)}, L_{5,8}^{(i)}), \quad R_5^{(i)} = (x^{(i)} \oplus a_1, a_2, a_3, \cdots, a_8),$$

with

$$\begin{aligned}
L_{5,1}^{(i)} &= S_1(x^{(i)} \oplus b) \oplus b_1, & L_{5,2}^{(i)} &= S_1(x^{(i)} \oplus b) \oplus b_2, & L_{5,3}^{(i)} &= S_1(x^{(i)} \oplus b) \oplus b_3,\\
L_{5,4}^{(i)} &= b_4, & L_{5,5}^{(i)} &= S_1(x^{(i)} \oplus b) \oplus b_5, & L_{5,6}^{(i)} &= b_6,\\
L_{5,7}^{(i)} &= b_7, & L_{5,8}^{(i)} &= S_1(x^{(i)} \oplus b) \oplus b_8.
\end{aligned}$$

The output immediately before the FL/FL$^{-1}$ functions is as follows, where $d_1 = b_1 \oplus K_{6,1}$, $d_2 = b_2 \oplus K_{6,2}$, $d_3 = b_3 \oplus K_{6,3}$, $d_4 = b_5 \oplus K_{6,5}$, $d_5 = b_8 \oplus K_{6,8}$; and $e_1, e_2, \cdots, e_8$ are 8-bit constants completely determined by $a_1, a_2, \cdots, a_8$ and $b_1, b_2, \cdots, b_8$:

$$\hat{L}_6^{(i)} = (\hat{L}_{6,1}^{(i)}, \hat{L}_{6,2}^{(i)}, \hat{L}_{6,3}^{(i)}, \hat{L}_{6,4}^{(i)}, \hat{L}_{6,5}^{(i)}, \hat{L}_{6,6}^{(i)}, \hat{L}_{6,7}^{(i)}, \hat{L}_{6,8}^{(i)}), \quad \hat{R}_6^{(i)} = (L_{5,1}^{(i)}, L_{5,2}^{(i)}, \cdots, L_{5,8}^{(i)}),$$

with

$$\begin{aligned}
\hat{L}_{6,1}^{(i)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus d_3) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus x^{(i)} \oplus e_1,\\
\hat{L}_{6,2}^{(i)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_2(S_1(x^{(i)} \oplus b) \oplus d_2) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus e_2,\\
\hat{L}_{6,3}^{(i)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_2(S_1(x^{(i)} \oplus b) \oplus d_2) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus d_3) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus e_3,\\
\hat{L}_{6,4}^{(i)} &= S_2(S_1(x^{(i)} \oplus b) \oplus d_2) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus d_3) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus e_4,\\
\hat{L}_{6,5}^{(i)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_2(S_1(x^{(i)} \oplus b) \oplus d_2) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus e_5,\\
\hat{L}_{6,6}^{(i)} &= S_2(S_1(x^{(i)} \oplus b) \oplus d_2) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus d_3) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus e_6,\\
\hat{L}_{6,7}^{(i)} &= S_3(S_1(x^{(i)} \oplus b) \oplus d_3) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus e_7,\\
\hat{L}_{6,8}^{(i)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus e_8.
\end{aligned}$$

By Property 4-1, we know that $\mathrm{FL}(\hat{L}_6^{(i)}, KI_1)[49 \sim 56]$ is determined only by $\hat{L}_{6,3}^{(i)}, \hat{L}_{6,4}^{(i)}, \hat{L}_{6,7}^{(i)}, KI_1[18 \sim 25]$. Thus, $Y_7^{(i)}[49 \sim (49+\omega)] = S_7(\mathrm{FL}(\hat{L}_6^{(i)}, KI_1)[49 \sim 56] \oplus K_{7,7})[49 \sim (49+\omega)]$ is determined only by $(x^{(i)}, b, d_1, d_2, \cdots, d_5, e_3, e_4, l_1, KI_1[26 \sim 32, 1])$, where $l_1 = e_7 \oplus K_{7,7}$.

Since $X_L^{(i)} \oplus W_5^{(i)} = \hat{R}_6^{(i)}$, by Property 4-2 we know that $P^{-1}(\mathrm{FL}^{-1}(X_L^{(i)} \oplus W_5^{(i)}, KI_2))[49 \sim (49+\omega)] = P^{-1}(\mathrm{FL}^{-1}(\hat{R}_6^{(i)}, KI_2))[49 \sim (49+\omega)]$ is determined only by $(x^{(i)}, b, b_1[2 \sim (2+\omega)], b_2[2 \sim (2+\omega)], b_3[1 \sim (2+\omega)], b_4[1 \sim (1+\omega)], b_5[1 \sim (2+\omega)], b_6[1 \sim (2+\omega)], b_7[1 \sim (2+\omega)], b_8[1 \sim (1+\omega)], KI_2[2 \sim (2+\omega), 10 \sim (10+\omega), 18 \sim (18+\omega), 34 \sim (34+\omega), 42 \sim (42+\omega), 49 \sim (50+\omega), 57 \sim (57+\omega)])$.

So $P^{-1}(\mathrm{FL}^{-1}(X_L^{(i)} \oplus W_5^{(i)}, KI_2))[49 \sim (49+\omega)] \oplus Y_7^{(i)}[49 \sim (49+\omega)]$ is determined by $x^{(i)}$ and $(b, d_1, d_2, \cdots, d_5, e_3, e_4, l_1, b_1[2 \sim (2+\omega)], b_2[2 \sim (2+\omega)], b_3[1 \sim (2+\omega)], b_4[1 \sim (1+\omega)], b_5[1 \sim (2+\omega)], b_6[1 \sim (2+\omega)], b_7[1 \sim (2+\omega)], b_8[1 \sim (1+\omega)], KI_1[26 \sim 32, 1], KI_2[2 \sim (2+\omega), 10 \sim (10+\omega), 18 \sim (18+\omega), 34 \sim (34+\omega), 42 \sim (42+\omega), 49 \sim (50+\omega), 57 \sim (57+\omega)])$, a total of $100 + 15 \times \omega$ constant 1-bit parameters. Proposition 1-1 follows from Eq. (1).

We next prove Proposition 1-2. The output $(L_3^{(i)}, R_3^{(i)})$ of Round 3 is as follows, where $\hat{a}_1, \hat{a}_2, \cdots, \hat{a}_8$ are 8-bit constants completely determined by $m_1, m_2, \cdots, m_{15}$ and $K_3$.

$$L_3^{(i)} = (x^{(i)} \oplus \hat{a}_1, \hat{a}_2, \hat{a}_3, \hat{a}_4, \hat{a}_5, \hat{a}_6, \hat{a}_7, \hat{a}_8), \quad R_3^{(i)} = (m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8).$$

The output $(L_4^{(i)}, R_4^{(i)})$ of Round 4 is as follows, where $\hat{b}, \hat{b}_1, \cdots, \hat{b}_8$ are 8-bit constants completely determined by $m_1, m_2, \cdots, m_8$, $\hat{a}_1, \hat{a}_2, \cdots, \hat{a}_8$ and $K_4$:

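$$L_4^{(i)} = (L_{4,1}^{(i)}, L_{4,2}^{(i)}, L_{4,3}^{(i)}, L_{4,4}^{(i)}, L_{4,5}^{(i)}, L_{4,6}^{(i)}, L_{4,7}^{(i)}, L_{4,8}^{(i)}), \quad R_4^{(i)} = (x^{(i)} \oplus \hat{a}_1, \hat{a}_2, \hat{a}_3, \cdots, \hat{a}_8),$$

with

$$\begin{aligned}
L_{4,1}^{(i)} &= S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{b}_1, & L_{4,2}^{(i)} &= S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{b}_2, & L_{4,3}^{(i)} &= S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{b}_3,\\
L_{4,4}^{(i)} &= \hat{b}_4, & L_{4,5}^{(i)} &= S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{b}_5, & L_{4,6}^{(i)} &= \hat{b}_6,\\
L_{4,7}^{(i)} &= \hat{b}_7, & L_{4,8}^{(i)} &= S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{b}_8.
\end{aligned}$$

The output $(L_5^{(i)}, R_5^{(i)})$ of Round 5 is as follows, where $\hat{d}_1, \hat{d}_2, \cdots, \hat{d}_5$ are 8-bit constants completely determined by $\hat{b}_1, \hat{b}_2, \cdots, \hat{b}_8$ and $K_5$; and $\hat{e}_1, \hat{e}_2, \cdots, \hat{e}_8$ are 8-bit constants completely determined by $\hat{a}_1, \hat{a}_2, \cdots, \hat{a}_8$, $\hat{b}_1, \hat{b}_2, \cdots, \hat{b}_8$ and $K_5$: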

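$$L_5^{(i)} = (L_{5,1}^{(i)}, L_{5,2}^{(i)}, L_{5,3}^{(i)}, L_{5,4}^{(i)}, L_{5,5}^{(i)}, L_{5,6}^{(i)}, L_{5,7}^{(i)}, L_{5,8}^{(i)}), \quad R_5^{(i)} = (L_{4,1}^{(i)}, L_{4,2}^{(i)}, \cdots, L_{4,8}^{(i)}),$$

with

$$\begin{aligned}
L_{5,1}^{(i)} &= S_1(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_1) \oplus S_3(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_3) \oplus S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_5) \oplus x^{(i)} \oplus \hat{e}_1,\\
L_{5,2}^{(i)} &= S_1(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_1) \oplus S_2(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_2) \oplus S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_4) \oplus S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_5) \oplus \hat{e}_2,\\
L_{5,3}^{(i)} &= S_1(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_1) \oplus S_2(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_2) \oplus S_3(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_3) \oplus S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_4) \oplus S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_5) \oplus \hat{e}_3,\\
L_{5,4}^{(i)} &= S_2(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_2) \oplus S_3(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_3) \oplus S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_4) \oplus \hat{e}_4,\\
L_{5,5}^{(i)} &= S_1(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_1) \oplus S_2(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_2) \oplus S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_5) \oplus \hat{e}_5,\\
L_{5,6}^{(i)} &= S_2(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_2) \oplus S_3(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_3) \oplus S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_4) \oplus S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_5) \oplus \hat{e}_6,\\
L_{5,7}^{(i)} &= S_3(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_3) \oplus S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_4) \oplus S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_5) \oplus \hat{e}_7,\\
L_{5,8}^{(i)} &= S_1(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_1) \oplus S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_4) \oplus \hat{e}_8.
\end{aligned}$$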

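By Property 4-1, we know that $\mathrm{FL}(\hat{L}_6^{(i)}, KI_1)[41 \sim 48]$ is determined only by $\hat{L}_{6,2}^{(i)}, \hat{L}_{6,3}^{(i)}, \hat{L}_{6,6}^{(i)}, KI_1[10 \sim 17]$, where

$$\begin{aligned}
\hat{L}_{6,2}^{(i)} &= S_1(L_{5,1}^{(i)} \oplus K_{6,1}) \oplus S_2(L_{5,2}^{(i)} \oplus K_{6,2}) \oplus S_4(L_{5,4}^{(i)} \oplus K_{6,4}) \oplus S_5(L_{5,5}^{(i)} \oplus K_{6,5}) \oplus S_7(L_{5,7}^{(i)} \oplus K_{6,7}) \oplus S_8(L_{5,8}^{(i)} \oplus K_{6,8}) \oplus S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{b}_2,\\
\hat{L}_{6,3}^{(i)} &= S_1(L_{5,1}^{(i)} \oplus K_{6,1}) \oplus S_2(L_{5,2}^{(i)} \oplus K_{6,2}) \oplus S_3(L_{5,3}^{(i)} \oplus K_{6,3}) \oplus S_5(L_{5,5}^{(i)} \oplus K_{6,5}) \oplus S_6(L_{5,6}^{(i)} \oplus K_{6,6}) \oplus S_8(L_{5,8}^{(i)} \oplus K_{6,8}) \oplus S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{b}_3,\\
\hat{L}_{6,6}^{(i)} &= S_2(L_{5,2}^{(i)} \oplus K_{6,2}) \oplus S_3(L_{5,3}^{(i)} \oplus K_{6,3}) \oplus S_5(L_{5,5}^{(i)} \oplus K_{6,5}) \oplus S_7(L_{5,7}^{(i)} \oplus K_{6,7}) \oplus S_8(L_{5,8}^{(i)} \oplus K_{6,8}) \oplus \hat{b}_6.
\end{aligned}$$

Letting $\hat{n}_l = \hat{e}_l \oplus K_{6,l}$ and $\hat{o}_1 = \hat{b}_6 \oplus K_{7,6}$, $(l = 1, 2, \cdots, 8)$, then we can learn that $Y_7^{(i,j)}[41 \sim (41+\omega)]$ is determined only by $(x^{(i)}, \hat{b}, \hat{b}_2, \hat{b}_3, \hat{o}_1, \hat{d}_1, \hat{d}_2, \cdots, \hat{d}_5, \hat{n}_1, \hat{n}_2, \cdots, \hat{n}_8, KI_1[10 \sim 17])$.

Since $\mathrm{FL}^{-1}(X_R^{(i)} \oplus W_3^{(i)} \oplus W_5^{(i)}, KI_2) = R_6^{(i)}$, then $P^{-1}(\mathrm{FL}^{-1}(X_R^{(i)} \oplus W_3^{(i)} \oplus W_5^{(i)}, KI_2))[41 \sim (41+\omega)] = P^{-1}(\mathrm{FL}^{-1}(\hat{R}_6^{(i)}, KI_2))[41 \sim (41+\omega)]$ is determined only by $(x^{(i)}, \hat{b}, \hat{d}_1, \hat{d}_2, \cdots, \hat{d}_5, \hat{e}_1[2 \sim (2+\omega)], \hat{e}_2[1 \sim (2+\omega)], \hat{e}_3[1 \sim (1+\omega)], \hat{e}_4[2 \sim (2+\omega)], \hat{e}_5[1 \sim (2+\omega)], \hat{e}_6[1 \sim (2+\omega)], \hat{e}_7[1 \sim (1+\omega)], \hat{e}_8[1 \sim (2+\omega)], KI_2[2 \sim (2+\omega), 10 \sim (10+\omega), 26 \sim (26+\omega), 34 \sim (34+\omega), 41 \sim (42+\omega), 49 \sim (49+\omega), 58 \sim (58+\omega)])$.

Hence, $P^{-1}(\mathrm{FL}(X_R^{(i)} \oplus W_4^{(i)} \oplus W_6^{(i)}, KI_1))[41 \sim (41+\omega)] \oplus Y_7^{(i)}[41 \sim (41+\omega)]$ is determined by $x^{(i)}$ and $(\hat{b}, \hat{b}_2, \hat{b}_3, \hat{o}_1, \hat{d}_1, \hat{d}_2, \cdots, \hat{d}_5, \hat{e}_1[2 \sim (2+\omega)], \hat{e}_2[1 \sim (2+\omega)], \hat{e}_3[1 \sim (1+\omega)], \hat{e}_4[2 \sim (2+\omega)], \hat{e}_5[1 \sim (2+\omega)], \hat{e}_6[1 \sim (2+\omega)], \hat{e}_7[1 \sim (1+\omega)], \hat{e}_8[1 \sim (2+\omega)], \hat{n}_1, \hat{n}_2, \cdots, \hat{n}_8, KI_1[10 \sim 17], KI_2[2 \sim (2+\omega), 10 \sim (10+\omega), 26 \sim (26+\omega), 34 \sim (34+\omega), 41 \sim (42+\omega), 49 \sim (49+\omega), 58 \sim (58+\omega)])$, a total of $164 + 15 \times \omega$ constant 1-bit parameters. The result follows from Eq. (2).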
